A sensational new discovery has been announced by Kaspersky Lab’s Global Research & Analysis Team, the result of an investigation launched after several attacks hit the computer networks of various international diplomatic service agencies.

A new large-scale cyber-espionage operation has been discovered and named Red October (ROCRA), a name inspired by the famous novel The Hunt for Red October and chosen because the investigation started last October.

The campaign hit hundreds of machines belonging to the following categories:

Government

Diplomatic / embassies

Research institutions

Trade and commerce

Nuclear / energy research

Oil and gas companies

Aerospace

Military

The attackers targeted various devices, such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP servers, and siphoning files from local-network FTP servers.

According to the security experts involved in the investigation, the cyber-espionage campaign has been active since 2007 and is still ongoing; over this long period the attackers obtained a huge quantity of information, including service credentials that have been reused in later attacks.

The command-and-control structure discovered is very complex and extensive: more than 60 domain names and several hosting servers located in many countries, mainly Germany and Russia. A particularity of the C&C architecture is that the network is arranged to hide the true "mothership" server, with every node in the malicious structure acting as a proxy.

Security experts were able to sinkhole six of the 60 domains during the period 2 Nov 2012 - 10 Jan 2013, registering over 55,000 connections to the sinkhole from 250 different victim IPs in 39 different countries, most of them from Switzerland; Kazakhstan and Greece follow.

Red October Geo-distribution of victims

Which vulnerabilities were exploited in the attacks?

The security experts discovered that at least three different known vulnerabilities were exploited:

CVE-2009-3129 (MS Excel) [attacks dated 2010 and 2011]

CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]

CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]

Evidence collected during the investigation led security specialists to believe that the attackers have Russian origins, but strangely they appear unrelated to any other cyber attacks detected so far. The exploits appear to have been created by Chinese hackers.

Attack Method

These attacks are structured in two distinct phases, following the classic schema of targeted attacks:

Initial infection

Additional modules deployed for intelligence gathering

In the initial phase the malware is delivered via e-mail attachments (Microsoft Excel, Word and probably PDF documents). Once the victim opens the malicious document, the embedded malicious code installs the main component, which in turn handles further communication with the C&C servers; the malware then receives a number of additional spy modules from the C&C server.

The method used to infect an entire network is very efficient: the attackers used a module to scan the target infrastructure for vulnerable machines. Each machine and its related services is then attacked by exploiting the vulnerabilities above or by gaining access with credentials collected during other attacks of the same campaign.

What alarms me is that such campaigns could go on for years with disastrous consequences ... what should be done at this point? How is it possible that an operation so extensive escaped the worldwide security community for so long? Who is behind the attacks? Cyber criminals or state-sponsored hackers?

The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a ‘t’. I ran 13 IPs listed in Kaspersky’s report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:

Malicious servers

178.63.208.49 matches to 178.63.

188.40.19.247 matches to 188.40.

78.46.173.15 matches to 78.46.

88.198.30.44 matches to 88.198.

Mini-motherships

91.226.31.40 matches to 91.226.

It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested. Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it’s going to be one of the most important discoveries of the decade.
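As an added example (not code from the original post, from Kaspersky or from the RBN list's maintainer), the block-matching check described above done with Python's ipaddress module rather than string prefixes: the IPs are the five listed in the text plus one constructed non-matching address, and the dotted prefixes from the text are interpreted as /16 networks, which is an assumption.

```python
import ipaddress
from typing import Dict, List, Optional

# Block prefixes exactly as written in the text above ("178.63." etc.).
# Assumption: a two-octet dotted prefix denotes the corresponding /16 network.
RBN_PREFIXES: List[str] = ["178.63.", "188.40.", "78.46.", "88.198.", "91.226."]

# The five matching IPs listed in the text, plus one constructed address
# (203.0.113.7, from the TEST-NET-3 documentation range) that must not match.
CANDIDATE_IPS: List[str] = [
    "178.63.208.49", "188.40.19.247", "78.46.173.15",
    "88.198.30.44", "91.226.31.40", "203.0.113.7",
]


def prefix_to_network(prefix: str) -> ipaddress.IPv4Network:
    """Turn a dotted prefix like '178.63.' or a CIDR string into an IPv4Network.

    A trailing-dot prefix with k octets becomes a /(8*k) network; a CIDR string
    is parsed as-is. Comparing networks avoids the octet-boundary pitfalls of
    naive string matching (e.g. '78.4' would also match '78.46.x.x').
    """
    if "/" in prefix:
        return ipaddress.ip_network(prefix, strict=False)
    octets = [o for o in prefix.split(".") if o]
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}", strict=False)


def match_blocks(ips: List[str], prefixes: List[str]) -> Dict[str, Optional[str]]:
    """Map each IP to the most specific listed block containing it, or None."""
    networks = sorted((prefix_to_network(p) for p in prefixes),
                      key=lambda n: n.prefixlen, reverse=True)
    result: Dict[str, Optional[str]] = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((str(n) for n in networks if addr in n), None)
    return result


if __name__ == "__main__":
    for ip, block in match_blocks(CANDIDATE_IPS, RBN_PREFIXES).items():
        print(f"{ip:>15} -> {block or 'no match'}")
```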